Oh to be young. The teen years are filled with so many rites of passage—learning to drive, going to prom, braces: off, college search: on. But if sitting at your computer and testing the limits of the cyber world are more your style, seriously messing with an enterprise business or government organization is your golden ring.

Four men—boys, perhaps, is a better term—have been arrested thus far in connection with the most recent TalkTalk data breach. All from the UK, their ages range from 15 – 20, and are suspected of violating the Computer Misuse Act.

They join a growing cadre of young cyber celebs allegedly responsible for major hacking offenses, website crashes and defacement, and 0-day public disclosures:

  • In 2012, a 12-year-old pleaded guilty in a Quebec court to a range of hacking offenses including DDoS attacks, website vandalism, and illegal database access.
  • In August, 18-year-old Luca Todesco caught the ire of Apple with his 0-day disclosure on GitHub of a vulnerability widely affecting Macs.
  • Also in August, Charlton Floate, 19, crashed both the Home Office and FBI websites, the latter seen as a ‘Holy Grail’ among hackers.
  • Just a few weeks ago in October, a young man took credit for hacking CIA Director John Brennan’s personal email, accessing his security clearance form, social security numbers, and government letters on “harsh interrogation techniques.”

Looking Totally Un-Cool

Now, should CISOs of enterprise networks view high schoolers as the number one threat to their organization’s security? Probably not. The age of the hacker may carry more weight in PR than actual risk.

In a recent Sunday Times interview, former Anonymous-affiliated hacker Christopher Weatherhead may have put it best: “It says a lot if the company’s entire security infrastructure is faulted by a 15-year-old.” In the same edition, Ewan Lawson, senior research fellow at the Royal United Services Institute echoed that sentiment, saying, “If it is really down to some 15-year-old schoolboy in Northern Ireland, that says more about TalkTalk than it says about his capabilities.”

While the TalkTalk attack is expected to be smaller than initially thought, the broadband provider is taking a very public hit. The fact that some of those responsible for the latest breach aren’t even old enough to drive only adds insult to injury.

The October breach marks the third data breach for the company in one year, and claims have emerged that TalkTalk failed to encrypt customer data and “made some rather unfortunate decisions,” regarding security. They seem to be an easy target—poor initial defenses and slow to learn from their mistakes.

The silver lining in all this may not be for TalkTalk itself, but to other companies: if you can avoid being the easiest target, the attackers may pass you by for lower hanging fruit.

New Toys

The Library of Congress—always a hit among kids these days—is getting hip to hacking, to some degree. It recently expanded the Digital Millennium Copyright Act to legalize hacking of car’s internal software, medical devices, smart TVs, and modify video games and jailbreak smart phones.

After a banner year for carhacks and spurred by the Volkswagen emissions testing scandal, LOC was convinced it was time to open up car software to “good faith security research.”

The DMCA exception to automotive software will take a least a year to be implemented.

So expect 2016 and onward to be fraught with vulnerability discovery. It will make for some wracked nerves and white-knuckle driving, but in the end, this new window of research should make our internet-connected world a lot safer. And it will likely be some fresh faces driving that change.

 

Resources

You can’t disappear from the attackers’ radar completely, but with 5 best practices, you can reduce your window of vulnerability. Learn how leveraging attack surface visibility, analytic-driven intelligence, and context-aware risk prioritization gives you the situational awareness you need to stay secure and contain attacks quickly.

Know how to respond to attacks before they happen. With Skybox Vulnerability Control’s attack simulation capabilities, you can run scrimmage on your network to visualize threats from any origin, their attack paths, and how to better secure business-critical assets. Utilizing the Skybox network model, do it all without any disruption to your live network.